At
https://demo904.ofbiz.org/catalog/control/setUserPreference?userPrefGroupTypeId=GLOBAL_PREFERENCES&userPrefTypeId=COMPACT_HEADER&userPrefValue=Y
I get this message.
Found URL parameter [userPrefTypeId] passed to secure (https) request-map with uri [setUserPreference] with an event that calls
service [setUserPreference]; this is not allowed for security reasons! The data should be encrypted by making it part of the request
body (a form field) instead of the request URL.
I thought we gave up on this message (or just have it only in the log?). But I was just thinking about that yesterday and I think that
we should continue to have it in trunk and not in 9.04. So we will be able to catch them (before having a tool to list them all, I
hope to work on that next week) without disturbing 9.04 users.
WDYT?
Jacques